| NNTP's a good case, because the traffic that runs over it
| is fairly well bounded -- my NNTP server expects that whatever is
| talking to it is also talking NNTP. So the damage it can do me is
| limited to whatever you can do to me via NNTP or protocol bugs in
| my NNTP server software. Assuming "ah, that's UUNET's NNTP server
| so I'll let it execute commands on my machine" is where I have to
| draw a line in the sand. :)
I believe there were some bugs in parts of the posting of articles
to moderated newsgroups. The article would then be mailed to the
moderator, but there where no checks for special metacharacters in
the body of the mailed article. In this way it would be possible to
get to the id of the nntp-daemon at least.
I also vaguely remeber something about control messages; being able
to use the '^' in the argument. This is probably a much less serious
bug since the environment when 'sendsys' and other commands are sent
are pretty restricted anyway.
I would not consider the nntp subsystem secure, anyway.
/Christian W, cwe @